Accepting request 873760 from home:scabrero:krb5_1_19_test

- Update to 1.19.1 * Fix a linking issue with Samba. * Better support multiple pkinit_identities values by checking whether certificates can be loaded for each value. - Update to 1.19 Administrator experience * When a client keytab is present, the GSSAPI krb5 mech will refresh credentials even if the current credentials were acquired manually. * It is now harder to accidentally delete the K/M entry from a KDB. Developer experience * gss_acquire_cred_from() now supports the "password" and "verify" options, allowing credentials to be acquired via password and verified using a keytab key. * When an application accepts a GSS security context, the new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor both provided matching channel bindings. * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests to identify the desired client principal by certificate. * PKINIT certauth modules can now cause the hw-authent flag to be set in issued tickets. * The krb5_init_creds_step() API will now issue the same password expiration warnings as krb5_get_init_creds_password(). Protocol evolution * Added client and KDC support for Microsoft's Resource-Based Constrained Delegation, which allows cross-realm S4U2Proxy requests. A third-party database module is required for KDC support. * kadmin/admin is now the preferred server principal name for kadmin connections, and the host-based form is no longer created by default. The client will still try the host-based form as a fallback. OBS-URL: https://build.opensuse.org/request/show/873760 OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=243
2021-02-19 12:56:34 +00:00 · 2021-02-19 12:56:34 +00:00 · ceafe406ff
commit ceafe406ff
parent 964a1412da
9 changed files with 130 additions and 36 deletions
--- a/0001-ksu-pam-integration.patch
+++ b/0001-ksu-pam-integration.patch
@ -1,4 +1,4 @@
-From ff26447c1edc29bf69672f1a55f8bb1c3f20f582 Mon Sep 17 00:00:00 2001
+From cb49731c07ee57f64bd5a93a182446bc834b9057 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 23 Aug 2016 16:29:58 -0400
 Subject: [PATCH 1/8] ksu pam integration
@ -30,10 +30,10 @@ Last-updated: krb5-1.18-beta1
 create mode 100644 src/clients/ksu/pam.h

 diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index 2394f7e33..53f8b6fb7 100644
+index 024d6370c..43eed3b87 100644
 --- a/src/aclocal.m4
 +++ b/src/aclocal.m4
-@@ -1675,3 +1675,71 @@ if test "$with_ldap" = yes; then
+@@ -1677,3 +1677,71 @@ if test "$with_ldap" = yes; then
   OPENLDAP_PLUGIN=yes
 fi
 ])dnl
@ -144,11 +144,11 @@ index 8b4edce4d..9d58f29b5 100644
 clean:
 	$(RM) ksu
 diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
-index 4f03dd8ed..21a4d02bb 100644
+index af1286172..931f05404 100644
 --- a/src/clients/ksu/main.c
 +++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
-  * KSU was writen by:  Ari Medvinsky, ari@isi.edu
+  * KSU was written by:  Ari Medvinsky, ari@isi.edu
  */
 
 +#include "autoconf.h"
@ -174,7 +174,7 @@ index 4f03dd8ed..21a4d02bb 100644
 /***********/
 
 #define KS_TEMPORARY_CACHE "MEMORY:_ksu"
-@@ -535,6 +541,23 @@ main (argc, argv)
+@@ -536,6 +542,23 @@ main (argc, argv)
                prog_name,target_user,client_name,
                source_user,ontty());
 
@ -198,7 +198,7 @@ index 4f03dd8ed..21a4d02bb 100644
         /* Run authorization as target.*/
         if (krb5_seteuid(target_uid)) {
             com_err(prog_name, errno, _("while switching to target for "
-@@ -595,6 +618,24 @@ main (argc, argv)
+@@ -596,6 +619,24 @@ main (argc, argv)
 
             exit(1);
         }
@ -223,7 +223,7 @@ index 4f03dd8ed..21a4d02bb 100644
     }
 
     if( some_rest_copy){
-@@ -652,6 +693,30 @@ main (argc, argv)
+@@ -653,6 +694,30 @@ main (argc, argv)
         exit(1);
     }
 
@ -254,7 +254,7 @@ index 4f03dd8ed..21a4d02bb 100644
     /* set permissions */
     if (setgid(target_pwd->pw_gid) < 0) {
         perror("ksu: setgid");
-@@ -749,7 +814,7 @@ main (argc, argv)
+@@ -750,7 +815,7 @@ main (argc, argv)
         fprintf(stderr, "program to be execed %s\n",params[0]);
     }
 
@ -263,7 +263,7 @@ index 4f03dd8ed..21a4d02bb 100644
         execv(params[0], params);
         com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
         sweep_up(ksu_context, cc_target);
-@@ -779,16 +844,35 @@ main (argc, argv)
+@@ -780,16 +845,35 @@ main (argc, argv)
             if (ret_pid == -1) {
                 com_err(prog_name, errno, _("while calling waitpid"));
             }
@ -759,10 +759,10 @@ index 000000000..d45b9fd84
 +void appl_pam_cleanup(void);
 +#endif
 diff --git a/src/configure.ac b/src/configure.ac
-index 234f4281c..d1f576124 100644
+index 4eb080784..693f76a81 100644
 --- a/src/configure.ac
 +++ b/src/configure.ac
-@@ -1390,6 +1390,8 @@ AC_SUBST([VERTO_VERSION])
+@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION])
 
 AC_PATH_PROG(GROFF, groff)
 
@ -772,5 +772,5 @@ index 234f4281c..d1f576124 100644
 if test "${localedir+set}" != set; then
     localedir='$(datadir)/locale'
 -- 
-2.25.0
+2.30.0

--- a/krb5-1.18.3.tar.gz
+++ b/krb5-1.18.3.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e61783c292b5efd9afb45c555a80dd267ac67eebabca42185362bee6c4fbd719
-size 8715312
--- a/krb5-1.18.3.tar.gz.asc
+++ b/krb5-1.18.3.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAl+0QQcACgkQDLoIV1+D
-ct8i0RAAtxhG66nmOSgL5xQ+kuTd1Gnq4GZjlAaAFKwU7xQX9wGctJNw5wThT+Ot
-X8CtUXAUqZKO1odWsdiDRUV++C3ppTZdHLzo2UUzp0YbjSsMf2e/ZLolEwthJkQt
-4eaqsUWTNHcePKlS9zsXdEUNRrjhzjDWS93Ppp1bLH1zQrUaPOEtLjkxY7r2yBgX
-SsJIe6/W9sv0WlndWhQBfPfCE5wQmIbYDDHxCrWabnLwzsLM4HCJSnEC02oMZIAS
-UiijoubyZS0UJ97EKzJLOgUr7B8h8cUmPru99FUvQfkWsTTLqt1yD5wHji8BiRU4
-Wh1z4y/E75E6GQybf97LY+x5czJbMycszteju6s/C9QHHeUoIgfpkVkoBBy4KufQ
-t4fbzR7o5W1l1mdJ0s6IBwO0O97LTW2qQ7fLhIleB9jF+c1DEowBE4/Naq/NGkn5
-zMagwYcU583mUtk4boR6boLzsym0841+w14DN9hDBJ1fmI8OpKy5DE90aWSg/7qo
-98J0H4gq0IZTd00QymDI8JQ97NF9mmaF+tKg1PCF77EP12nk1OnJ/X9etvNy+V8L
-gWV6IAgJr8q1qLWh3FopCghI9sBDQBbM/cdgv/5jCTVKyH9zUzkw00K+Nvk26mFg
-e3x3fN1soV6rEkZmtVM+e5l0NiIR1/0A2cX/SYJ8f+kB6XgW11Y=
-=bdBU
-----END PGP SIGNATURE-----
--- a/krb5-1.19.1.tar.gz
+++ b/krb5-1.19.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fa16f87eb7e3ec3586143c800d7eaff98b5e0dcdf0772af7d98612e49dbeb20b
+size 8738142
--- a/krb5-1.19.1.tar.gz.asc
+++ b/krb5-1.19.1.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmAuntAACgkQDLoIV1+D
+ct8TIhAArFittFBcz4ZfMxqhHVGdK6kOeQXrrV27d3FW6y28BvS7yHJ8CkyK+I3g
+4rsaaf7srkH8jaiCjmjHC2rWJIuceOwkD4GRqXtb2CiqKxXI9eZ+g9ipB7DGKixg
+1nki7mOhd3oaeUkCRFXgyiOqSE/ird7/itLYzEoAroLpTazNp6Kk4gXmhJIENlq
+dj1God+JxhuwzzWZRdsy2SyvMQPQMOTIilsXRboObZFvPrhZKkJmgNm+RzU/YRSg
+/1Po7takBXq8qhgnwPHTnTPb+BYRdrqQc/a2WcmEdgbzeMpijNmkFsgAFeKDijSz
+1nmFO4SQd/rAfgUovkDd+GMAYZ6DCLFqoI/WeKOgCrRMxJMMRbLlr48bTvMwjuIl
+xE5gy8h2Iju/UP1lxz8KheCm/FyNzNw4pe74zbGgK5fdiEQ8xNlKZOs9LRrtvyfL
+j1G+IX6cK+5yTo/NceYjnHVAatbuW6C6xJmsIQ1GYdMPvto7Wctq/4/BmwxqgFAJ
+HCPuQgAGi875JpPYvi/c3tioRiIPwOz54CXCrcFyKELvgHi6lGN6MRNSzAP4QdA0
+HlXZQ4/4NFOJxjLGu9ZXKUbYPaGizhI+ayzg5/RJLHPIgW7yLvwFqkBIa1xs26bA
+xiP5JKuDC4mqDPwVjwpufkUBH6SoBFnbiIWEYSKVPLJFw+Dbhv0=
+=PP6r
+-----END PGP SIGNATURE-----
--- a/krb5-mini.changes
+++ b/krb5-mini.changes
@ -1,3 +1,50 @@
+-------------------------------------------------------------------
+Fri Feb 19 12:10:25 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
+
+- Update to 1.19.1
+  * Fix a linking issue with Samba.
+  * Better support multiple pkinit_identities values by checking whether
+    certificates can be loaded for each value.
+
+-------------------------------------------------------------------
+Fri Feb  5 10:36:51 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
+
+- Update to 1.19
+  Administrator experience
+    * When a client keytab is present, the GSSAPI krb5 mech will refresh
+      credentials even if the current credentials were acquired manually.
+    * It is now harder to accidentally delete the K/M entry from a KDB.
+  Developer experience
+    * gss_acquire_cred_from() now supports the "password" and "verify"
+      options, allowing credentials to be acquired via password and
+      verified using a keytab key.
+    * When an application accepts a GSS security context, the new
+      GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
+      both provided matching channel bindings.
+    * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
+      to identify the desired client principal by certificate.
+    * PKINIT certauth modules can now cause the hw-authent flag to be set
+      in issued tickets.
+    * The krb5_init_creds_step() API will now issue the same password
+      expiration warnings as krb5_get_init_creds_password().
+  Protocol evolution
+    * Added client and KDC support for Microsoft's Resource-Based Constrained
+      Delegation, which allows cross-realm S4U2Proxy requests. A third-party
+      database module is required for KDC support.
+    * kadmin/admin is now the preferred server principal name for kadmin
+      connections, and the host-based form is no longer created by default.
+      The client will still try the host-based form as a fallback.
+    * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
+      extension, which causes channel bindings to be required for the
+      initiator if the acceptor provided them. The client will send this
+      option if the client_aware_gss_bindings profile option is set.
+  User experience
+    * kinit will now issue a warning if the des3-cbc-sha1 encryption type is
+      used in the reply. This encryption type will be deprecated and removed
+      in future releases.
+    * Added kvno flags --out-cache, --no-store, and --cached-only
+      (inspired by Heimdal's kgetcred).
+
 -------------------------------------------------------------------
 Thu Nov 19 09:30:13 UTC 2020 - Samuel Cabrero <scabrero@suse.de>

--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@ -1,7 +1,7 @@
 #
 # spec file for package krb5-mini
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -24,7 +24,7 @@
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           krb5-mini
-Version:        1.18.3
+Version:        1.19.1
 Release:        0
 Summary:        MIT Kerberos5 implementation and libraries with minimal dependencies
 License:        MIT
--- a/krb5.changes
+++ b/krb5.changes
@ -1,3 +1,50 @@
+-------------------------------------------------------------------
+Fri Feb 19 12:10:25 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
+
+- Update to 1.19.1
+  * Fix a linking issue with Samba.
+  * Better support multiple pkinit_identities values by checking whether
+    certificates can be loaded for each value.
+
+-------------------------------------------------------------------
+Fri Feb  5 10:36:51 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
+
+- Update to 1.19
+  Administrator experience
+    * When a client keytab is present, the GSSAPI krb5 mech will refresh
+      credentials even if the current credentials were acquired manually.
+    * It is now harder to accidentally delete the K/M entry from a KDB.
+  Developer experience
+    * gss_acquire_cred_from() now supports the "password" and "verify"
+      options, allowing credentials to be acquired via password and
+      verified using a keytab key.
+    * When an application accepts a GSS security context, the new
+      GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
+      both provided matching channel bindings.
+    * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
+      to identify the desired client principal by certificate.
+    * PKINIT certauth modules can now cause the hw-authent flag to be set
+      in issued tickets.
+    * The krb5_init_creds_step() API will now issue the same password
+      expiration warnings as krb5_get_init_creds_password().
+  Protocol evolution
+    * Added client and KDC support for Microsoft's Resource-Based Constrained
+      Delegation, which allows cross-realm S4U2Proxy requests. A third-party
+      database module is required for KDC support.
+    * kadmin/admin is now the preferred server principal name for kadmin
+      connections, and the host-based form is no longer created by default.
+      The client will still try the host-based form as a fallback.
+    * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
+      extension, which causes channel bindings to be required for the
+      initiator if the acceptor provided them. The client will send this
+      option if the client_aware_gss_bindings profile option is set.
+  User experience
+    * kinit will now issue a warning if the des3-cbc-sha1 encryption type is
+      used in the reply. This encryption type will be deprecated and removed
+      in future releases.
+    * Added kvno flags --out-cache, --no-store, and --cached-only
+      (inspired by Heimdal's kgetcred).
+
 -------------------------------------------------------------------
 Thu Nov 19 09:30:13 UTC 2020 - Samuel Cabrero <scabrero@suse.de>

--- a/krb5.spec
+++ b/krb5.spec
@ -1,7 +1,7 @@
 #
 # spec file for package krb5
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -21,7 +21,7 @@
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           krb5
-Version:        1.18.3
+Version:        1.19.1
 Release:        0
 Summary:        MIT Kerberos5 implementation
 License:        MIT